File Spider
File Spider is ransomware that targets victims in Bosnia and Herzegovina, Serbia, and Croatia.

Payload Transmission

File Spider is distributed through spam. The spam emails carry malicious Word documents that download and install the File Spider ransomware on the victim's computer. The emails use subjects like "Potrazivanje dugovanja", which translates to "Debt Collection", and their message body, according to Google Translate, is written in Serbian. Each email has an attached Word document with malicious macros that pretends to be a debt collection notice, which according to Google Translate is written in Croatian.

If the user clicks Enable Editing and then Enable Content, the embedded macro downloads the ransomware executables from a remote site and executes them. The macro contains a Base64-encoded PowerShell script that, when executed, downloads XOR-encrypted files called enc.exe and dec.exe from a remote site. The URLs used to download the files are currently:

http://yourjavascript.com/5118631477/javascript-dec-2-25-2.js
http://yourjavascript.com/53103201277/javascript-enc-1-0-9.js

Both payloads are hosted under .js names, so in proxy logs the downloads look like ordinary JavaScript fetches rather than executables. After download, the files are decrypted and saved to the %AppData%\Spider folder. The PowerShell script then executes both enc.exe, the encrypter, and dec.exe, the decrypter and GUI, with the following commands:

"%AppData%\Roaming\Spider\enc.exe" spider ktn 100
"%AppData%\Roaming\Spider\dec.exe" spider

File Spider then begins encrypting the victim's computer.

Infection

Once the macros in the malicious document execute, the ransomware is downloaded and run on the computer, starting two processes, enc.exe and dec.exe. dec.exe is the decryptor and GUI and runs quietly in the background until enc.exe, the encryptor, has finished encrypting the computer.
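The download stage above hands the macro XOR-encrypted copies of enc.exe and dec.exe. The script below is an added example, not code from the original page or from the malware: given a blob captured from one of the .js URLs (or from a proxy cache), it recovers a repeating XOR key from the fixed bytes of a PE header and decrypts the payload for analysis. The page gives neither the key nor its length, so the 32-byte key limit and the reliance on the zero-filled region at DOS header offsets 0x1C-0x3B are assumptions about the payload's layout; the sample "PE" is constructed here and is not a real executable.

```python
"""Recover the XOR-encrypted File Spider payloads from a captured download.

Added example, not code from the original page or from the malware. The
recovery assumes a repeating key of at most 32 bytes and relies on two fixed
features of a PE file: the "MZ" signature at offset 0 and the run of zero
bytes at offsets 0x1C-0x3B of a standard DOS header (e_res, e_oemid,
e_oeminfo, e_res2). XOR of a zero byte with the key leaks the key byte, so
that run yields the key directly; "MZ" and the DOS stub text then only
confirm the guess. The sample PE below is constructed and not executable.
"""
from __future__ import annotations

MZ = b"MZ"
DOS_STUB = b"This program cannot be run in DOS mode"
ZERO_RUN = 0x1C        # first offset of the all-zero DOS header region (assumed)
ZERO_RUN_LEN = 0x20    # covers 0x1C..0x3B inclusive
MAX_KEY_LEN = ZERO_RUN_LEN


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; the same call encrypts and decrypts."""
    klen = len(key)
    return bytes(b ^ key[i % klen] for i, b in enumerate(data))


def looks_like_pe(data: bytes) -> bool:
    """Plausibility check: MZ signature and the DOS stub string near the start."""
    return data[:2] == MZ and DOS_STUB in data[:0x100]


def recover_key(blob: bytes, max_key_len: int = MAX_KEY_LEN) -> bytes | None:
    """Return the shortest repeating XOR key that turns blob into a PE, or None."""
    if len(blob) < ZERO_RUN + ZERO_RUN_LEN:
        return None
    for klen in range(1, max_key_len + 1):
        key = bytearray(klen)
        # plaintext at ZERO_RUN+j is 0x00, so the ciphertext byte there *is*
        # the key byte used at position (ZERO_RUN + j) % klen
        for j in range(klen):
            key[(ZERO_RUN + j) % klen] = blob[ZERO_RUN + j]
        # shortest key first, so a true 3-byte key is not reported as 6 bytes
        if looks_like_pe(xor_bytes(blob[:0x100], bytes(key))):
            return bytes(key)
    return None


def decrypt_payload(blob: bytes) -> bytes | None:
    """Decrypt a captured blob, or return None if no key explains it."""
    key = recover_key(blob)
    return xor_bytes(blob, key) if key is not None else None


def build_fake_pe() -> bytes:
    """Constructed stand-in for a PE: DOS header with the zero run, a DOS stub,
    then filler. Only the header layout matters for the demo."""
    hdr = bytearray(0x40)
    hdr[0:2] = MZ
    hdr[2:4] = (0x90).to_bytes(2, "little")        # e_cblp
    hdr[4:6] = (3).to_bytes(2, "little")           # e_cp
    hdr[0x0C:0x0E] = b"\xff\xff"                   # e_maxalloc
    hdr[0x12:0x14] = b"\xb8\x00"                   # e_sp
    hdr[0x1A:0x1C] = b"\x40\x00"                   # e_lfarlc
    hdr[0x3C:0x40] = (0x80).to_bytes(4, "little")  # e_lfanew
    stub = b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
    stub += DOS_STUB + b".\r\r\n$"
    body = bytes(hdr) + stub
    body += b"\x00" * (0x80 - len(body)) + b"PE\x00\x00" + bytes(range(256)) * 4
    return body


if __name__ == "__main__":
    # simulate a capture: the downloaded ".js" is really an XOR-wrapped PE
    captured = xor_bytes(build_fake_pe(), b"\x5a\xa7\x13")
    key = recover_key(captured)
    print("recovered key:", key.hex() if key else None)
    plain = decrypt_payload(captured)
    print("decrypted looks like PE:", plain is not None and looks_like_pe(plain))
```

Shortest-key-first matters: any multiple of the true key length also validates, so returning the first hit keeps the reported key minimal. If the attacker's key is longer than the 32-byte zero run, the derivation above no longer has enough known plaintext and the function correctly returns None rather than a wrong key.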
While enc.exe is running, it scans the computer's local drives and encrypts any file whose extension matches the targeted list using AES-128. The targeted extensions are listed at the end of this article. The AES key is then encrypted using a bundled RSA key and saved; without the matching RSA private key the AES key, and therefore the files, cannot be recovered.

When encrypting, it skips files located in the following folders:

tmp
Videos
winnt
Application Data
Spider
PrefLogs
Program Files (x86)
Program Files
ProgramData
Temp
Recycle
System Volume Information
Boot
Windows

When a file is encrypted, enc.exe logs the original file name to %UserProfile%\AppData\Roaming\Spider\files.txt and appends the .spider extension to the encrypted file's name. For example, a file called test.jpg is encrypted and then renamed to test.jpg.spider.

It encrypts the following file extensions: .lnk, .url, .contact, .1cd, .dbf, .dt, .cf, .cfu, .mxl, .epf, .kdbx, .erf, .vrp, .grs, .geo, .st, .conf, .pff, .mft, .efd, .3dm, .3ds, .rib, .ma, .sldasm, .sldprt, .max, .blend, .lwo, .lws, .m3d, .mb, .obj, .x, .x3d, .movie, .byu, .c4d, .fbx, .dgn, .dwg, .4db, .4dl, .4mp, .abs, .accdb, .accdc, .accde, .accdr, .accdt, .accdw, .accft, .adn, .a3d, .adp, .aft, .ahd, .alf, .ask, .awdb, .azz, .bdb, .bib, .bnd, .bok, .btr, .bak, .backup, .cdb, .ckp, .clkw, .cma, .crd, .daconnections, .dacpac, .dad, .dadiagrams, .daf, .daschema, .db, .db-shm, .db-wal, .db2, .db3, .dbc, .dbk, .dbs, .dbt, .dbv, .dbx, .dcb, .dct, .dcx, .ddl, .df1, .dmo, .dnc, .dp1, .dqy, .dsk, .dsn, .dta, .dtsx, .dxl, .eco, .ecx, .edb, .emd, .eql, .fcd, .fdb, .fic, .fid, .fil, .fm5, .fmp, .fmp12, .fmpsl, .fol, .fp3, .fp4, .fp5, .fp7, .fpt, .fzb, .fzv, .gdb, .gwi, .hdb, .his, .ib, .idc, .ihx, .itdb, .itw, .jtx, .kdb, .lgc, .maq, .mdb, .mdbhtml, .mdf, .mdn, .mdt, .mrg, .mud, .mwb, .s3m, .myd, .ndf, .ns2, .ns3, .ns4, .nsf, .nv2, .nyf, .oce, .odb, .oqy, .ora, .orx, .owc, .owg, .oyx, .p96, .p97, .pan, .pdb, .pdm, .phm, .pnz, .pth, .pwa, .qpx, .qry, .qvd, .rctd, .rdb, .rpd, .rsd, .sbf, .sdb, 
.sdf, .spq, .sqb, .stp, .sql, .sqlite, .sqlite3, .sqlitedb, .str, .tcx, .tdt, .te, .teacher, .tmd, .trm, .udb, .usr, .v12, .vdb, .vpd, .wdb, .wmdb, .xdb, .xld, .xlgc, .zdb, .zdc, .cdr, .cdr3, .ppt, .pptx, .1st, .abw, .act, .aim, .ans, .apt, .asc, .ascii, .ase, .aty, .awp, .awt, .aww, .bad, .bbs, .bdp, .bdr, .bean, .bna, .boc, .btd, .bzabw, .chart, .chord, .cnm, .crwl, .cyi, .dca, .dgs, .diz, .dne, .doc, .docm, .docx, .docxml, .docz, .dot, .dotm, .dotx, .dsv, .dvi, .dx, .eio, .eit, .email, .emlx, .epp, .err, .etf, .etx, .euc, .fadein, .faq, .fb2, .fbl, .fcf, .fdf, .fdr, .fds, .fdt, .fdx, .fdxt, .fes, .fft, flr, .fodt, .fountain, .gtp, .frt, .fwdn, .fxc, .gdoc, .gio, .gpn, .gsd, .gthr, .gv, .hbk, hht, .hs, .htc, .hwp, .hz, .idx, .iil, .ipf, .jarvis, .jis, .joe, .jp1, .jrtf, .kes, .klg, .knt, .kon, .kwd, .latex, .lbt, .lis, .lit, .lnt, .lp2, .lrc, .lst, .ltr, .ltx, .lue, .luf, .lwp, .lxfml, .lyt, .lyx, .man, .map, .mbox, .md5txt, .me, .mell, .min, .mnt, .msg, .mwp, .nfo, .njx, .notes, .now, .nwctxt, .nzb, .ocr, .odm, .odo, .odt, .ofl, .oft, .openbsd, .ort, .ott, .p7s, .pages, .pfs, .pfx, .pjt, .plantuml, .prt, .psw, .pu, .pvj, .pvm, .pwi, .pwr, .qdl, .rad, .readme, .rft, .ris, .rng, .rpt, .rst, .rt, .rtd, .rtf, .rtx, .run, .rzk, .rzn, .saf, .safetext, .sam, .scc, .scm, .scriv, .scrivx, .sct, .scw, .sdm, .sdoc, .sdw, .sgm, .sig, .skcard, .sla, .slagz, .sls, .smf, .sms, .ssa, .strings, .stw, .sty, .sub, .sxg, .sxw, .tab, .tdf, tex, text, .thp, .tlb, .tm, .tmv, .tmx, .tpc, .trelby, .tvj, .txt, .u3d, .u3i, .unauth, .unx, .uof, .uot, .upd, .utf8, .unity, .utxt, .vct, .vnt, .vw, .wbk, .wcf, .webdoc, .wgz, .wn, .wp, .wp4, .wp5, .wp6, .wp7, .wpa, .wpd, .wpl, .wps, .wpt, .wpw, .wri, .wsc, .wsd, .wsh, .wtx, .xbdoc, .xbplate, .xdl, .xlf, .xps, .xwp, .xy3, .xyp, .xyw, .ybk, .yml, .zabw, .zw, .2bp, .036, .3fr, .0411, .73i, .8xi, .9png, .abm, .afx, .agif, .agp, .aic, .albm, .apd, .apm, .apng, .aps, .apx, .art, .artwork, .arw, .asw, .avatar, .bay, .blkrt, .bm2, .bmp, .bmx, .bmz, 
.brk, .brn, .brt, .bss, .bti, .c4, .cal, .cals, .can, .cd5, .cdc, .cdg, .cimg, .cin, .cit, .colz, .cpc, .cpd, .cpg, .cps, .cpx, .cr2, .ct, .dc2, dcr, .dds, .dgt, .dib, .dicom, .djv, .djvu, .dm3, .dmi, .vue, .dpx, .wire, .drz, dt2, .dtw, .dvl, .ecw, .eip, .exr, .fal, .fax, .fpos, .fpx, .g3, .gcdp, .gfb, .gfie, .ggr, .gif, .gih, .gim, .gmbck, .gmspr, .spr, .scad, .gpd, .gro, .grob, .hdp, .hdr, .hpi, .i3d, .icn, .icon, .icpr, .iiq, .info, .int, .ipx, .itc2, .iwi, .j, .j2c, .j2k, .jas, .jb2, .jbig, jbig2, jbmp, .jbr, .jfif, .jia, .jng, .jp2, .jpe, .jpeg, .jpg, .jpg2, .jps, .jpx, .jtf, .jwl, .jxr, .kdc, .kdi, .kdk, .kic, .kpg, .lbm, .ljp, .mac, .mbm, .mef, .mnr, .mos, .mpf, .mpo, .mrxs, .myl, .ncr, .nct, .nlm, .nrw, .oc3, .oc4, .oc5, .oci, .omf, .oplc, .af2, .af3, .ai, .asy, .cdmm, .cdmt, .cdmtz, .cdmz, .cdt, .cgm, .cmx, .cnv, .csy, .cv5, .cvg, .cvi, .cvs, .cvx, .cwt, .cxf, .dcs, .ded, .design, .dhs, .dpp, .drw, .dxb, .dxf, .egc, .emf, .ep, .eps, .epsf, .fh10, .fh11, .fh3, fh4, fh5, .fh6, .fh7, .fh8, .fif, .fig, .fmv, .ft10, .ft11, .ft7, .ft8, .ft9, .ftn, .fxg, .gdraw, .gem, .glox, .hpg, .hpgl, .hpl, .idea, .igt, .igx, .imd, .vbox, .vdi, .ink, .lmk, .mgcb, .mgmf, .mgmt, .mt9, .mgmx, .mgtx, .mmat, .mat, .otg, .ovp, .ovr, .pcs, .pfd, .pfv, .pl, .plt, .pm, .vrml, .pmg, .pobj, .ps, .psid, .rdl, .scv, .sk1, .sk2, .slddrt, .snagitstamps, .snagstyles, .ssk, .stn, .svf, .svg, .svgz, .sxd, .tlc, .tne, .ufr, .vbr, .vec, .vml, .vsd, .vsdm, .vsdx, .vstm, .stm, .vstx, .wmf, .wpg, .vsm, .vault, .xar, .xmind, .xmmap, .yal, .orf, .ota, .oti, .ozb, .ozj, .ozt, .pal, .pano, .pap, .pbm, .pc1, .pc2, .pc3, .pcd, .pcx, .pdd, .pdn, .pe4, .pef, .pfi, .pgf, .pgm, .pi1, .pi2, .pi3, .pic, .pict, .pix, .pjpeg, .pjpg, .png, .pni, .pnm, .pntg, .pop, .pp4, .pp5, .ppm, .prw, .psd, .psdx, .pse, .psp, .pspbrush, .ptg, .ptx, .pvr, .px, .pxr, .pz3, .pza, .pzp, .pzs, .z3d, .qmg, .ras, .rcu, .rgb, .rgf, .ric, .riff, .rix, .rle, .rli, .rpf, .rri, .rs, .rsb, .rsr, .rw2, .rwl, .s2mv, .sai, .sci, .sep, .sfc, 
.sfera, .sfw, .skm, .sld, .sob, .spa, .spe, .sph, .spj, .spp, .sr2, .srw, .ste, .sumo, .sva, .save, .ssfn, .t2b, .tb0, .tbn, .tfc, .tg4, .thm, .thumb, .tif, .tiff, .tjp, .tm2, .tn, .tpi, .ufo, .uga, .usertile-ms, .vda, .vff, .vpe, .vst, .wb1, .wbc, .wbd, .wbm, .wbmp, .wbz, .wdp, .webp, .wpb, .wpe, .wvl, .x3f, .y, .ysp, .zif, .cdr4, .cdr6, .cdrw, .pdf, .pbd, .pbl, .ddoc, .css, .pptm, .raw, .cpt, .tga, .xpm, .ani, .flc, .fb3, .fli, .mng, .smil, .mobi, .swf, .html, .xls, .xlsx, .csv, .xlsm, .ods, .xhtm, .7z, .m2, .rb, .rar, .wmo, .mcmeta, .m4a, .itm, .vfs0, .indd, .sb, .mpqge, .fos, .p7c, .wmv, .mcgame, .db0, .p7b, .vdf, .DayZProfile, .p12, .d3dbsp, .ztmp, .rofl, .sc2save, .sis, .hkx, .pem, .dbfv, .sie, .sid, .bar, .crt, .sum, .ncf, .upk, .cer, .wb2, .ibank, .menu, .das, .der, .t13, .layout, .t12, .dmp, .litemod, .dxg, .qdf, .blob, .asset, .xf, .esm, .forge, .tax, .001, .r3d, .pst, .pkpass, .vtf, .bsa, .bc6, .dazip, .apk, .bc7, .fpk, .re4, .bkp, .mlx, .sav, .raf, .qic, .kf, .lbf, .bkf, .iwd, .slm, .xlk, .sidn, .vpk, .bik, .mrwref, .xlsb, .sidd, .tor, .epk, .mddata, .psk, .rgss3a, .itl, .rim, .pak, .w3x, .big, .icxs, .fsh, .unity3d, .hvpl, .ntl, .wotreplay, .crw, .hplg, .arch00, .xxx, .hkdb, .lvl, .desc, .mdbackup, .snx, .py, .srf, .odc, .syncdb, .cfr, .m3u, .gho, .ff, .odp, .cas, .vpp_pc, .js, .dng, .lrf, .c, .cpp, .cs, .h, .bat, .ps1, .php, .asp, .java, .jar, .class, .aaf, .aep, .aepx, .plb, .prel, .prproj, .aet, .ppj, .indl, .indt, .indb, .inx, .idml, .pmd, .xqx, .fla, .as3, .as, .docb, .xlt, .xlm, .xltx, .xltm, .xla, .xlam, .xll, .xlw, .pot, .pps, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .aif, .iff, .m4u, .mid, .mpa, .ra, .3gp, .3g2, .asf, .asx, .vob, .m3u8, .mkv, .dat, .efx, .vcf, .xml, .ses, .zip, .7zip, .mp4, .3gp, .webm, .wmv

In each folder where a file is encrypted, the encryptor also creates a ransom note named HOW TO DECRYPT FILES.url. It is an Internet shortcut rather than a text file: opening it plays a video tutorial at https://vid.me/embedded/CGyDc?autoplay=1&stats=1.
The ransom note says the following (reproduced as written, including its grammar):

As you may have already noticed, all your important files are encrypted and you no longer have access to them. A unique key has been generated specifically for this PC and two very strong encryption algorithm was applied in that process. Original content of your files are wiped and overwritten with encrypted data so it cannot be recovered using any conventional data recovery tool. The good news is that there is still a chance to recover your files, you just need to have the right key. To obtain the key, visit our website from the menu above. You have to be fast, after 96 hours the key will be blocked and all your files will remain permanently encrypted since no one will be able to recover them without the key! Remember, do not try anything stupid, the program has several security measures to delete all your files and cause the damage to your PC. To avoid any misunderstanding, please read Help section.

The encryptor also creates a file on the desktop called DECRYPTER.url, which launches dec.exe. Finally, enc.exe creates a file called %UserProfile%\AppData\Roaming\Spider\5p1d3r and exits. dec.exe waits for this marker file and, once it appears, displays the decrypter GUI; the presence of 5p1d3r on a host therefore means enc.exe has finished its run.

The GUI has tabs that switch the language between English and Croatian, show the TOR payment site at http://spiderwjzbmsmu7y.onion, show the victim's ID code needed to log in to that site, run the decrypter, and display a help file. The GUI also shows a contact email address, file-spider@protonmail.ch.

On the TOR site, the victim is prompted to log in using the victim ID found in the decrypter GUI. Once logged in, they are shown instructions on how to pay the ransom, which is currently 0.00726 bitcoins (around $123.25 at the time of writing), to get the files back.
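The artifacts described in the Infection section (the .spider extension, the per-folder HOW TO DECRYPT FILES.url note, DECRYPTER.url on the desktop, Spider\files.txt and the 5p1d3r marker) are what an incident responder looks for first on a suspect host. The script below is an added example, not the page's own tooling or anything from the malware: it walks a directory tree and collects those artifacts, parses the .url note to recover the video URL, and reads files.txt to list the originals. The sample profile it builds is constructed for the demo; the .url contents assume the standard Windows Internet Shortcut format ([InternetShortcut] / URL=), which the page does not show, and the target written into the constructed DECRYPTER.url is a guess since the page only says it launches dec.exe.

```python
"""Host triage for the on-disk artifacts File Spider leaves behind.

Added example, not code from the original page or from the malware. It walks
a directory tree and collects: files renamed with a .spider extension, the
per-folder "HOW TO DECRYPT FILES.url" note, "DECRYPTER.url" on the desktop,
the Spider\\files.txt log of original names, and the 5p1d3r marker that tells
dec.exe encryption has finished. make_sample_tree() builds a constructed
profile; the .url contents assume the standard Internet Shortcut format.
"""
from __future__ import annotations

import os
import tempfile
from dataclasses import dataclass, field

ENC_EXT = ".spider"
NOTE_NAME = "HOW TO DECRYPT FILES.url"
LAUNCHER_NAME = "DECRYPTER.url"
SPIDER_DIR = os.path.join("AppData", "Roaming", "Spider")
LOG_NAME = "files.txt"
MARKER_NAME = "5p1d3r"


@dataclass
class Findings:
    encrypted: list[str] = field(default_factory=list)          # paths ending in .spider
    notes: dict[str, str | None] = field(default_factory=dict)  # note path -> URL inside it
    launchers: list[str] = field(default_factory=list)          # DECRYPTER.url locations
    logged_originals: list[str] = field(default_factory=list)   # lines of files.txt
    marker_present: bool = False                                # 5p1d3r seen: enc.exe finished


def original_name(encrypted_name: str) -> str:
    """test.jpg.spider -> test.jpg (the malware only appends, so just strip)."""
    if encrypted_name.lower().endswith(ENC_EXT):
        return encrypted_name[:-len(ENC_EXT)]
    return encrypted_name


def parse_url_shortcut(path: str) -> str | None:
    """Return the URL= value of an Internet Shortcut file, or None if absent."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            if line.strip().lower().startswith("url="):
                return line.strip()[4:]
    return None


def triage(root: str) -> Findings:
    """Collect File Spider artifacts under root (a user profile or a whole volume)."""
    f = Findings()
    for dirpath, _dirs, files in os.walk(root):
        in_spider_dir = dirpath.endswith(SPIDER_DIR)
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(ENC_EXT):
                f.encrypted.append(path)
            elif name == NOTE_NAME:
                f.notes[path] = parse_url_shortcut(path)
            elif name == LAUNCHER_NAME:
                f.launchers.append(path)
            elif in_spider_dir and name == MARKER_NAME:
                f.marker_present = True
            elif in_spider_dir and name == LOG_NAME:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    f.logged_originals = [ln.rstrip("\r\n") for ln in fh if ln.strip()]
    return f


def make_sample_tree() -> str:
    """Constructed victim profile: two encrypted folders, a skipped folder, Spider dir."""
    root = tempfile.mkdtemp(prefix="spider-triage-")

    def put(rel: tuple[str, ...], content: str) -> None:
        path = os.path.join(root, *rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)

    note = "[InternetShortcut]\r\nURL=https://vid.me/embedded/CGyDc?autoplay=1&stats=1\r\n"
    put(("Documents", "report.docx" + ENC_EXT), "<ciphertext>")
    put(("Documents", NOTE_NAME), note)
    put(("Pictures", "holiday.jpg" + ENC_EXT), "<ciphertext>")
    put(("Pictures", NOTE_NAME), note)
    # launcher target is assumed; the article only says it launches dec.exe
    put(("Desktop", LAUNCHER_NAME),
        "[InternetShortcut]\r\nURL=file:///C:/Users/victim/AppData/Roaming/Spider/dec.exe\r\n")
    put(("Program Files", "tool", "readme.txt"), "untouched: folder is on the skip list")
    put(("AppData", "Roaming", "Spider", LOG_NAME), "Documents\\report.docx\nPictures\\holiday.jpg\n")
    put(("AppData", "Roaming", "Spider", MARKER_NAME), "")
    return root


if __name__ == "__main__":
    found = triage(make_sample_tree())
    print(f"{len(found.encrypted)} encrypted file(s); encryption finished: {found.marker_present}")
    for p in found.encrypted:
        print("  ", p, "->", original_name(os.path.basename(p)))
    for p, url in found.notes.items():
        print("  note:", p, "->", url)
    print("  files.txt:", found.logged_originals)
```

Point the script at a mounted image or a live user profile instead of the sample tree. The marker check is scoped to the Spider directory so an unrelated file named 5p1d3r elsewhere does not count, and files.txt is read from that directory only; comparing its entries with the .spider files found on disk shows whether the log and the renamed files agree.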
Category:Ransomware Category:Win32 ransomware Category:Win32 Category:Microsoft Windows Category:Win32 trojan Category:Trojan Category:Assembly